Re: [GNU-linux-libre] Free firmware - A redefinition of the term and a new metric for it's measurement.

[David Craven]

Hi Maxim

> +1. I don't see how having blobs helps security at all.

Well the problem I was getting at is that things are not as fixed as
they may seem.
Quoting wikipedia:

>> Decreasing cost of reprogrammable devices had almost eliminated the market 
>> for mask ROM by the year 2000.

Translation: ROM is not RO.

It is not a theoretical threat, and just as dangerous as other threats
that people put a lot of effort in avoiding [0]

I don't see how trusting the manufacturer when buying the product is
any different from trusting him down the road. I was talking about
malicious third parties. Obviously planting something in difficult to
upgrade persistent memory is a lucrative target for attackers -
manipulating firmware becomes plain uninteresting in the other case.

> The companies that should be the rewarded are the ones that release
> firmware, source code, and tool chain. E.g., Thinkpenguin and the TPE-R1100.

> Indeed, we ought to put our money where our mouth is, i.e. back the
> companies which are helping the cause of free software/hardware.

I don't think they actually produce any silicon, toolchain or firmware
themselves. At least I didn't find a link to it. So they are basically
using other peoples silicon, toolchain and firmware. Giving them
credit for complying with the GPL is not quite right either. (But I
don't know who's behind the thinkpenguin and it looks like a great
accomplishement).

To independently verify the claim that the firmware they are using is
indeed fixed, would actually require them to release both schematics
and datasheets of their designs.

[0] https://www.wired.com/2015/02/nsa-firmware-hacking/